Abstract. We present two new definitions of security for quantum ciphers which are inspired by the definitions of entropic security and entropic indistinguishability introduced by Dodis and Smith. We prove the equivalence of these two new definitions. We also propose a generalization of a cipher described by Dodis and Smith and show that it can actually encrypt n qubits using less than n bits of key under reasonable conditions and yet be secure in an information theoretic setting. This cipher also totally closes the gap between the key requirement of quantum ciphers and classical ciphers.
1 Introduction

In a seminal paper, Goldwasser and Micali [6] proposed a new definition of security in classical cryptography. In this article, they gave two new definitions of security, semantic security and indistinguishability, and proved that they are in fact equivalent. This was a significant paradigm shift from previously used security definitions. Both definitions rely on limitations imposed on an adversary that would intercept a cipher text: the adversary is limited to be a probabilistic polynomial-time machine. This is fundamentally a computational security setting. How to translate these definitions to the information theoretic setting remained unknown for years. Russell and Wang [9] introduced in 2002 a satisfactory definition for the information theoretic setting. In their paper, Russell and Wang shifted the limitations imposed on the adversary from computational limitations to entropic limitations: the adversary limitation is in fact a lower bound on its min-entropy on the message space, a bound which we will denote by $t$. It is to be mentioned that similar concepts for hash functions had already been developed by Canetti et al. in [3, 4]. Unfortunately, Russell and Wang had limited the scope of their definition by requiring that the adversary could not predict any predicate of the message based on the cipher text. Furthermore, their proof was rather involved. This was remedied by Dodis and Smith [5], who extended the definition to all functions, gave a new definition of entropic indistinguishability similar to that of Goldwasser and Micali and proved the equivalence between the two. They also provided three different encryption schemes and proofs that they are secure according to entropic security. Entropic security is, in a sense, surprising since it allows a relaxation of the traditional information theoretic security definition that goes back to Shannon. Indeed, if one requires that the mutual information between the cipher text and the message be smaller than some $\varepsilon$, then one can only shorten the key length by $\varepsilon$ bits. Entropic security lets one reduce the key size to $n - t + 2\log(1/\varepsilon) + O(1)$ bits [5], which constitutes a nontrivial improvement. If the reader wishes to gain some intuition on why this is possible, we advise him to read the introduction of [5].

In parallel to this development, quantum security began with a Shannon-like definition of security which requires the cipher text $\mathcal{E}(\rho)$ to be equal to $\rho_0$, some fixed state, for all messages $\rho$ in the message space. This was initially proposed by Ambainis, Mosca, Tapp and de Wolf in 2000 [1]. This definition was later relaxed by Hayden, Leung, Shor and Winter [7] by requiring that the distance between the cipher text and the perfectly mixed state be smaller than some security parameter $\varepsilon$. They also made the critical assumption that the eavesdropper was not entangled with the sender, an assumption which was not necessary in [1]; we also impose this condition in order for our scheme to work. Unfortunately, their proof was not constructive, but they proved that there exists an encryption scheme such that the key length is $n + \log(n) + 2\log(1/\varepsilon)$. Ambainis and Smith [2] then gave explicit polynomial-time constructions that can reduce the key space further under certain conditions. Their first construction uses $n + 2\log(n) + 2\log(1/\varepsilon) + O(1)$ bits of key to encrypt $n$ qubits. Their second construction, which is not length preserving, even goes down to $n + 2\log(1/\varepsilon)$ bits of key per $n$ qubits.

In this paper we shall reduce the key size even further. We shall prove that a generalization of a scheme proposed by Dodis and Smith can actually use less key, that is $n - t + 2\log(1/\varepsilon)$ bits of key for $n$ qubits, where $t$ represents the min-entropy of the adversary on the message space. This means that if $t$ is greater than $2\log(1/\varepsilon)$, which is not unreasonable, then the scheme actually requires less than $n$ bits of key for $n$ qubits. We achieve this by generalizing the entropic security and indistinguishability definitions contained in [5] to a quantum setting. We also prove their equivalence. These definitions look quite simple and straightforward, but in fact are quite unsettling to anyone close to the quantum computing community. The paper is divided as follows: in Section 2 we present our definitions of security and discuss the details of their interpretation. In Section 3 we prove that they are equivalent. In Section 4 we present an encryption scheme and prove that it uses $n - t + 2\log(1/\varepsilon)$ bits of key for $n$ qubits. Further contributions of this paper are: 1) a much simpler proof of the equivalence for all functions between our two definitions; 2) the first information-theoretic quantum encryption scheme which does not require more key than its classical counterpart. We assume that the reader is well familiar with quantum information theory, that is linear algebra, POVMs, super-operators, distance measures and operator decompositions. For an introduction see [8].

2 Definitions 

We are interested in the following scenario. The sender chooses a message from a known message space and encrypts the message. We want that whenever an adversary intercepts an encryption it cannot predict any function of the message. More formally, let an interpretation of $\rho = \sum_j \gamma_j |j\rangle\langle j|$ be an ensemble $\{(p_i, \sigma_i)\}$ such that $\rho = \sum_i p_i \sigma_i$; we say that $\sigma_i$ is compatible with $\rho$. This is the eavesdropper's view of the message space, i.e. the a priori knowledge of the adversary is given by the ensemble $\{(p_i,\sigma_i)\}$, which consists of all the possible messages (by which we mean valid density operators, or physically possible messages) with non-zero probability along with their probability. We want that whenever the sender chooses a message $\sigma_i$ and encrypts it using a cipher $\mathcal{E}$, then no eavesdropper which intercepts $\mathcal{E}(\sigma_i)$ can guess any function of $\sigma_i$. We will require this property to hold for all $\rho$ with sufficiently high min-entropy, where $H_\infty(\rho) = H_\infty(\{\gamma_j\}) = -\log(\max_j \gamma_j)$. Naturally, this question is pertinent in a context where interaction is not desirable or too costly to use.

Definition 1. An operator $\mathcal{E}$ is an encryption scheme if there exists another operator $\mathcal{D}$ such that for all states $\rho$ we have $\mathcal{D}(\mathcal{E}(\rho)) = \rho$.

Definition 2. An encryption scheme $\mathcal{E}$ is said to be $(t,\varepsilon)$-entropically secure if for all states $\rho$ such that $H_\infty(\rho) \ge t$, all associated interpretations $\{(p_i,\sigma_i)\}$, and all adversaries $A$ there exists $A'$ such that for all functions $f$ we have

$$\Pr_i[A(\mathcal{E}(\sigma_i)) = f(\sigma_i)] \le \Pr_i[A'(\cdot) = f(\sigma_i)] + \varepsilon.^{1} \qquad (1)$$


A few explanations are in order. First, in this equation, only one state is physical, that is, $\mathcal{E}(\sigma_i)$. For this equation to be meaningful, all other states are not considered to be physical but purely mathematical. By this we mean that the $\sigma_i$ are considered to be strings of bits that can be interpreted as density operators. This is reasonable since $A'$ never gets his hands on any ciphers, exactly as in the traditional definition. Hence $\{(p_i,\sigma_i)\}$ simply is the a priori knowledge of $A$ and $A'$ on the message space from which the sender samples. We therefore naturally consider that the output of $f(\sigma_i)$ is simply a string of bits.$^{2}$ Furthermore we do not impose any restriction on $f$. In particular, we do not require that $f$ be a physical process, hence $f$ is not required to be linear or to be a function on operators; for instance the map $g(\rho) = \sum_j \sqrt{\gamma_j}\,|j\rangle$, which sends a density operator to a vector, is allowed.

Hence $A$ has to predict the output of the function $f$ on the string of bits that represents the state $\sigma_i$, which is unknown to $A$, by only analyzing $\mathcal{E}(\sigma_i)$, which is a physical state. No restrictions are put on $A$; we only require it to be a physical process, i.e. a POVM. The adversary $A'$ does not get this chance: he must predict the same function $f$ on the same bit string while having access to nothing but the message interpretation $\{(p_i,\sigma_i)\}$. The obvious best strategy for $A'$ is to bet on the most probable output of $f$, since all other outputs have less chance of occurring. So by definition $\Pr_i[A'(\cdot)\ \text{is right}] = \mathrm{Max}_f = \max_{z} \Pr_i[f(\sigma_i) = z]$, where $Z = \{z\}$ is the set of possible outputs for the interpretation $\{(p_i,\sigma_i)\}$. Note that we assume that $A$ and $A'$ know the correct interpretation, which is considered to be the message space. Quantum entropic security states that if $A$ can predict the function $f$ with a given probability, then this probability can be matched by $A'$ up to $\varepsilon$; equivalently, $\Pr_i[A(\mathcal{E}(\sigma_i)) = f(\sigma_i)] \le \mathrm{Max}_f + \varepsilon$.

As in [6] and [5], we can introduce a notion of indistinguishability and then show that indistinguishability and entropic security are equivalent.

Definition 3. An encryption scheme $\mathcal{E}$ is said to be $(t,\varepsilon)$-indistinguishable if for all operators $\rho$ such that $H_\infty(\rho) \ge t$ we have

$$\|\mathcal{E}(\rho) - I/d\|_{tr} \le \varepsilon, \qquad (2)$$

where $d$ is equal to the dimension of the message space.

$^{1}$ Note that probabilities are not taken only over $i$, but also over all randomness used by $A$, $A'$ and $\mathcal{E}$.

$^{2}$ Note that instead of considering functions on strings of bits, one could consider that the function $f$ acts on the indices $i$ of $\sigma_i$ and get an equivalent framework.



We use the following definition for the trace distance: $\|\rho - \sigma\|_{tr} = \mathrm{tr}\,|\rho - \sigma|$, where $|A| = \sqrt{A^\dagger A}$. The following theorem, Theorem 9.1 in [8], will be useful.

Theorem 1. Let $\{E_m\}$ be a POVM with $p_m = \mathrm{Tr}(E_m\rho)$ and $q_m = \mathrm{Tr}(E_m\sigma)$ the probabilities of obtaining a measurement outcome labeled by $m$. Then

$$D(\rho,\sigma) = \max_{\{E_m\}} D(p_m, q_m) = \max_{\{E_m\}} \frac{1}{2}\sum_m \left|\mathrm{Tr}\big(E_m(\rho - \sigma)\big)\right|, \qquad (3)$$

where the maximization is over all POVMs $\{E_m\}$ and $D(\rho,\sigma) = \frac{1}{2}\|\rho - \sigma\|_{tr}$.
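The following Python/numpy snippet is an added illustration and is not part of the original paper. It makes the conventions above concrete: $\|\rho-\sigma\|_{tr} = \mathrm{tr}|\rho-\sigma|$ computed from eigenvalues, the two-outcome Helstrom POVM (the projector onto the posit`ive part of $\rho-\sigma$, assumed here to be the optimal measurement of Theorem 1, a standard fact from [8]), the value $D(\rho,\sigma)$ it attains, and the fact that a single POVM element $E$ only gives the lower bound $|\mathrm{Tr}(E(\rho-\sigma))| \le D(\rho,\sigma)$, which is the step later used in the proof of Lemma 4. The sample states (a flat 1-source on two qubits against $I/4$, and $|0\rangle\langle 0|$ against $|+\rangle\langle +|$) are constructed inputs.

```python
import numpy as np

def trace_norm(M):
    """||M||_tr = tr|M| for a Hermitian matrix M: the sum of the absolute eigenvalues."""
    return float(np.abs(np.linalg.eigvalsh(M)).sum())

def helstrom_povm(rho, sigma):
    """Two-outcome POVM {E0, E1 = I - E0}, E0 being the projector onto the positive
    eigenspace of rho - sigma (the Helstrom measurement, optimal in Theorem 1)."""
    w, v = np.linalg.eigh(rho - sigma)
    pos = v[:, w > 1e-12]
    E0 = pos @ pos.conj().T
    return E0, np.eye(rho.shape[0], dtype=complex) - E0

def basis_povm(d):
    """Computational-basis measurement {|k><k|}, a generally sub-optimal POVM."""
    return [np.outer(np.eye(d)[k], np.eye(d)[k]).astype(complex) for k in range(d)]

def povm_bias(povm, rho, sigma):
    """D(p_m, q_m) = 1/2 sum_m |Tr(E_m (rho - sigma))| for one fixed POVM (Theorem 1)."""
    return float(0.5 * sum(abs(np.trace(E @ (rho - sigma))) for E in povm))

def element_lower_bound(E, rho, sigma):
    """|Tr(E (rho - sigma))| for a single POVM element: never exceeds D(rho, sigma).
    This is the bound applied to A_{h(tau_0)} in the proof of Lemma 4."""
    return float(abs(np.trace(E @ (rho - sigma))))

def guess_success(rho, sigma):
    """Success probability of the Helstrom POVM at guessing b when rho (b=0) or sigma (b=1)
    is sent with probability 1/2 each: equals 1/2 + D(rho, sigma)/2."""
    E0, E1 = helstrom_povm(rho, sigma)
    return float((0.5 * np.trace(E0 @ rho) + 0.5 * np.trace(E1 @ sigma)).real)

def eigenvalue_distance(rho):
    """sum_z |lambda_z - 1/d| over the eigenvalues of rho; equals ||rho - I/d||_tr
    because I/d commutes with rho (the observation made after Theorem 1)."""
    d = rho.shape[0]
    return float(np.abs(np.linalg.eigvalsh(rho) - 1.0 / d).sum())

def diag_state(weights):
    """Density operator diagonal in the computational basis (a classical distribution)."""
    p = np.asarray(weights, dtype=float)
    return np.diag(p / p.sum()).astype(complex)

# Constructed sample inputs.
FLAT_1SOURCE = diag_state([1, 1, 0, 0])      # flat 1-source on two qubits
MIXED_2Q = np.eye(4, dtype=complex) / 4        # I/d for d = 4
ZERO = diag_state([1, 0])                      # |0><0|
PLUS = np.full((2, 2), 0.5, dtype=complex)     # |+><+|, does not commute with ZERO

def commuting_demo():
    """(||rho - I/d||_tr, D from the Helstrom POVM, one-element lower bound, eigenvalue formula)."""
    povm = helstrom_povm(FLAT_1SOURCE, MIXED_2Q)
    return (trace_norm(FLAT_1SOURCE - MIXED_2Q),
            povm_bias(povm, FLAT_1SOURCE, MIXED_2Q),
            element_lower_bound(povm[0], FLAT_1SOURCE, MIXED_2Q),
            eigenvalue_distance(FLAT_1SOURCE))

def noncommuting_demo():
    """(D via the Helstrom POVM, D via the computational-basis POVM) for |0><0| vs |+><+|:
    the basis measurement is strictly worse, so it does not attain the max in Theorem 1."""
    return (povm_bias(helstrom_povm(ZERO, PLUS), ZERO, PLUS),
            povm_bias(basis_povm(2), ZERO, PLUS))
```

For the commuting pair the four numbers are $1, \tfrac12, \tfrac12, 1$: the eigenvalue formula reproduces the trace norm, the Helstrom POVM attains $D = \tfrac12\|\cdot\|_{tr}$, and for commuting states one projector already saturates it. For $|0\rangle\langle 0|$ against $|+\rangle\langle +|$ the Helstrom value is $1/\sqrt{2}$ while the basis measurement only reaches $\tfrac12$. Note the normalisation: with $\|\cdot\|_{tr} = \mathrm{tr}|\cdot|$ as defined above, the guessing probability is $\tfrac12 + \tfrac12 D = \tfrac12 + \tfrac14\|\rho-\sigma\|_{tr}$, so an advantage of $\varepsilon$ over $\tfrac12$ corresponds to $\|\rho-\sigma\|_{tr} \le 4\varepsilon$, or to $2\varepsilon$ if the norm is normalised as $\tfrac12\mathrm{tr}|\cdot|$ like the classical statistical distance of [5]; the lemmas below absorb this constant into the "small variation in parameters" of Theorem 2.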



It is now time to introduce one assumption we are making all along this article. We assume that $\mathcal{E}(I/d) = I/d$, which is true for all reasonable schemes we know; our cipher in Section 4 will have this property. This is very powerful since we can, by the spectral decomposition theorem, decompose $I/d$ in the basis of our choice, in particular the eigenbasis of $\mathcal{E}(\rho)$. This is equivalent to saying that $I/d$ and $\mathcal{E}(\rho)$ commute (which is trivially true for $I/d$), hence that the trace distance between the two operators is equal to the statistical distance of their eigenvalues: $\|\mathcal{E}(\rho) - I/d\|_{tr} = \sum_z |\lambda_z - 1/d|$, where the $\lambda_z$ are the eigenvalues of $\mathcal{E}(\rho)$. This basically means that $(t,\varepsilon)$-indistinguishability implies that there is no POVM that can distinguish between $\mathcal{E}(\rho)$ and $I/d$ with an advantage better than $\varepsilon/2$ in the sense of Theorem 1.$^{3}$



It is also easy to see, using the triangle inequality, that Definition 3 implies:

Definition 4. An encryption scheme $\mathcal{E}$ is said to be weakly $(t,\varepsilon)$-indistinguishable if for all operators $\rho$ and $\rho'$ such that $H_\infty(\rho) \ge t$ and $H_\infty(\rho') \ge t$ we have

$$\|\mathcal{E}(\rho) - \mathcal{E}(\rho')\|_{tr} \le 2\varepsilon. \qquad (4)$$

Conversely, since $I/d$ is itself a $t$-source and $\mathcal{E}(I/d) = I/d$, weak $(t,\varepsilon)$-indistinguishability implies $(t, 2\varepsilon)$-indistinguishability. We must introduce a fourth notion which is a strong version of Definition 2.



Definition 5. An encryption scheme $\mathcal{E}$ is said to be strongly $(t,\varepsilon)$-entropically secure if for all states $\rho$ such that $H_\infty(\rho) \ge t$, all interpretations $\{(p_i,\sigma_i)\}$ and all adversaries $A$ we have, for all functions $f$,

$$\left|\Pr_i[A(\mathcal{E}(\sigma_i)) = f(\sigma_i)] - \Pr_i[A(\mathcal{E}(\rho)) = f(\sigma_i)]\right| \le \varepsilon. \qquad (5)$$



The only difference with Definition 2 is that we have restricted the notion of $A'$: this adversary is now the same as $A$ but it receives an encryption of $\rho$. Basically, Equation (5) means that whatever $A$ can compute from $\mathcal{E}(\sigma_i)$, up to a probability $\varepsilon$ he could have computed it using only an oracle serving an encryption of $\rho$, which is totally independent of $\sigma_i$. This strategy is clearly worse than the optimal one, since

$$\Pr_i[A(\mathcal{E}(\sigma_i)) = f(\sigma_i)] \le \Pr_i[A(\mathcal{E}(\rho)) = f(\sigma_i)] + \varepsilon \le \mathrm{Max}_f + \varepsilon, \qquad (6)$$

because no strategy can do better than $\mathrm{Max}_f$ without seeing the cipher text. Therefore, $\mathcal{E}(\cdot)$ must be a better scheme to achieve this definition, since $A$ cannot do much better than this worse strategy (at best $\varepsilon$ better). Furthermore, not only does there exist an adversary $A'$, but this adversary can be easily constructed using $A$ as a black box. Hence strong entropic security implies entropic security.

$^{3}$ See [8], Chapter 9, for a proof of these statements.

As is traditionally the case in semantic security, Definition 2 carries the meaning of what is considered a secure encryption scheme. Definition 3 will allow us to prove that a given scheme is secure, and Definition 5 will let us show easily that these two definitions are equivalent for all functions and not just for predicates.



3 Equivalence between the two paradigms 

Lemma 1. Strong $(t,\varepsilon)$-entropic security implies $(t-1, 2\varepsilon)$-indistinguishability as long as $t \le n-1$.

Proof:

We are translating, for this lemma, the proof from Dodis and Smith to the quantum setting. The last part, for non-orthogonal states, is new to this work. It is well known that a classical $t$-source$^{4}$ can be decomposed into a convex combination of flat sources over $2^t$ points.$^{5}$ Moreover the two are linked in an easy way: if $X$ is a classical $t$-source and $Y$ is the uniform distribution on the first $2^t$ points (the order is arbitrary), then there exist $\{p_i\}$ such that $X = \sum_i p_i P_i Y$, where $\sum_i p_i = 1$ and the $P_i$'s are permutation matrices.

It is less known, yet also true, that we can say the same thing about density operators. Let $\rho$ be a state such that $H_\infty(\rho) \ge t$ and let $\sigma$ be a perfectly mixed state on a subspace with $H_\infty(\sigma) = H(\sigma) = t$ (i.e. the support of $\sigma$ has size $2^t$). Then we can decompose $\rho$ this way:

$$\rho = \sum_i p_i\, U_i \sigma U_i^\dagger, \qquad (7)$$

where $\sum_i p_i = 1$ and the $U_i$'s are unitary operators. It must also be said that if $\rho$ and $\sigma$ commute, then the $U_i$'s are just permutation matrices.$^{6}$

These observations will allow us to prove the lemma for flat sources of entropy $t-1$ only. Indeed, $\mathcal{E}$ cannot decrease entropy, so $H_\infty(\mathcal{E}(\rho)) \ge t$, and $I/d$ is of course a $t$-source. So we can write $\rho = \sum_i p_i X_i$ where $X_i = U_i \sigma U_i^\dagger$, the $U_i$'s are permutation matrices and $\sigma$ is a flat $(t-1)$-source which we choose in the eigenbasis of $\rho$. Similarly, we can write $I/d = \sum_j q_j Y_j$, where $Y_j = V_j \sigma V_j^\dagger$ (the reader should keep in mind that we can diagonalize $I$ in the basis of our choice, so we choose the eigenbasis of $\rho$; hence $\rho$, $I/d$ and $\sigma$ all commute with one another). We know that $\mathcal{E}(I/d) = I/d$.

So $\|\mathcal{E}(\rho) - \mathcal{E}(I/d)\| = \big\|\mathcal{E}\big(\sum_i p_i X_i\big) - \mathcal{E}\big(\sum_j q_j Y_j\big)\big\|$.$^{7}$ Since $\sum_i p_i = \sum_j q_j = 1$, we can write this as

$$\Big\|\mathcal{E}\Big(\big(\textstyle\sum_j q_j\big)\sum_i p_i X_i\Big) - \mathcal{E}\Big(\big(\textstyle\sum_i p_i\big)\sum_j q_j Y_j\Big)\Big\|,$$

which simplifies to

$$\Big\|\mathcal{E}\Big(\sum_{i,j} p_i q_j X_i\Big) - \mathcal{E}\Big(\sum_{i,j} p_i q_j Y_j\Big)\Big\|.$$

$^{4}$ A $t$-source is a random variable with min-entropy no less than $t$.

$^{5}$ A $t$-flat source is a uniform distribution over $2^t$ points.

$^{6}$ For a proof of all these statements, read the section on majorization theory in [8]: Section 12.5.1.

$^{7}$ We have dropped momentarily the tr indices of the trace distance for compactness.
Since $\mathcal{E}$ is a linear operator we can rewrite everything as $\big\|\sum_{i,j} p_i q_j \mathcal{E}(X_i) - \sum_{i,j} p_i q_j \mathcal{E}(Y_j)\big\|$, which we can simplify to $\big\|\sum_{i,j} p_i q_j \big(\mathcal{E}(X_i) - \mathcal{E}(Y_j)\big)\big\|$. Using the triangle inequality, we can conclude:

$$\|\mathcal{E}(\rho) - \mathcal{E}(I/d)\| \le \sum_{i,j} p_i q_j \,\|\mathcal{E}(X_i) - \mathcal{E}(Y_j)\|. \qquad (8)$$

This equation tells us that if all terms $\|\mathcal{E}(X_i) - \mathcal{E}(Y_j)\|$ are at most $2\varepsilon$, then Equation (8) is bounded by $2\varepsilon$ and in particular the cipher must be $(t-1, 2\varepsilon)$-indistinguishable.

So let $W_0 \in \{X_i\}$, where $\rho = \sum_i p_i X_i$, and let $W_1 \in \{Y_j\}$. Assume for now that they have orthogonal supports. Consider the operator $Z = \frac12 W_0 + \frac12 W_1$, an equal mixture of the two states. By construction, $H_\infty(Z) = t$. Define the predicate $g$ such that for any state $\tau_0$ compatible (see Section 2) with $W_0$, $g(\tau_0) = 0$, and for any state $\tau_1$ compatible with $W_1$, $g(\tau_1) = 1$. It is not necessary to define the value of $g$ for any other state. Any adversary $A$ that can predict $g$ given $\mathcal{E}(\tau_b)$, for $b \in_R \{0,1\}$, is therefore a distinguisher between $\mathcal{E}(W_0)$ and $\mathcal{E}(W_1)$.

It is common knowledge (see [5]) that, at best, such an adversary can do this with probability

$$\Pr[A(\mathcal{E}(\tau_b)) = g(\tau_b) = b] \le \frac{1}{2} + \frac{1}{2}\,\|\mathcal{E}(W_0) - \mathcal{E}(W_1)\|_{tr}. \qquad (9)$$

We can now invoke the entropic security definition. So we can also write:

$$\Pr[A(\mathcal{E}(\tau_b)) = g(\tau_b) = b] \le \Pr[A'(\cdot) = g(\tau_b) = b] + \varepsilon = \frac{1}{2} + \varepsilon. \qquad (10)$$

By construction no adversary $A'$ can guess the correct answer with probability better than one half. Using Equations (9) and (10), we can conclude:

$$\|\mathcal{E}(W_0) - \mathcal{E}(W_1)\|_{tr} \le 2\varepsilon. \qquad (11)$$

We are almost done. Let us now suppose that $W_0$ and $W_1$ are not orthogonal but not equal. Let $V$ be the space spanned by their intersection. This space $V$ is well defined and $V$ is equal to neither $W_0$ nor $W_1$. Because $\rho$ and $I/d$ commute and because we already concluded that $W_0$ and $W_1$ commute, we can treat these objects as classical distributions on classical points, and treat their eigenbases as points in sets (we abuse notation in that spirit here). Hence we can create a new state $W'_0$ such that $W_0 \cap W'_0 = W_0 \setminus V$ and $W'_0 \cap W_1 = \emptyset$. We can do this since $t \le n-1$, so we have plenty of space to choose new points. Of course we choose $W'_0$ such that it has min-entropy equal to $t-1$ and such that it is a $(t-1)$-flat source. Obviously, by construction we have $\|W_0 - W_1\| \le \|W'_0 - W_1\|$; hence, using our argument for orthogonal states and the fact that $W_0$, $W_1$ and $W'_0$ commute, we can conclude that

$$\|\mathcal{E}(W_0) - \mathcal{E}(W_1)\|_{tr} \le \|\mathcal{E}(W'_0) - \mathcal{E}(W_1)\|_{tr} \le 2\varepsilon. \qquad (12)$$

QED.

Lemma 2. Let $\rho$ be a state such that $H_\infty(\rho) \ge t$ and let $\{(p_i,\sigma_i)\}$ be an interpretation of $\rho$. Then for all $i$ we have $p_i \cdot \lambda_{\max,i} \le 2^{-t}$, where $\lambda_{\max,i}$ is the biggest eigenvalue of $\sigma_i$.

Proof:

Suppose, on the contrary, that $p_i \cdot \lambda_{\max,i} > 2^{-t}$. Since $\lambda_{\max,i}$ is an eigenvalue of $\sigma_i$, there exists a unit vector $|v\rangle$ such that $\langle v|\sigma_i|v\rangle = \lambda_{\max,i}$. These two observations together let us write $\langle v|\rho|v\rangle \ge p_i\langle v|\sigma_i|v\rangle > 2^{-t}$. We also know that $\rho = \sum_k \gamma_k |k\rangle\langle k|$ with every $\gamma_k \le 2^{-t}$, so $\langle v|\rho|v\rangle = \sum_k \gamma_k \langle v|k\rangle\langle k|v\rangle \le \sum_k 2^{-t}\langle v|k\rangle\langle k|v\rangle = 2^{-t}$. Hence we conclude that $2^{-t} < \langle v|\rho|v\rangle \le 2^{-t}$, which is an obvious contradiction.

QED.

Lemma 3. Let $\rho$ be a state, $\{(p_i,\sigma_i)\}$ be an interpretation, $\mathcal{E}$ be a cipher, $f$ be a function and $A$ be an adversary such that

$$\left|\Pr_i[A(\mathcal{E}(\sigma_i)) = f(\sigma_i)] - \Pr_i[A(\mathcal{E}(\rho)) = f(\sigma_i)]\right| > \varepsilon;$$

then there exist an adversary $B$ and a predicate $h$ such that

$$\left|\Pr_i[B(\mathcal{E}(\sigma_i)) = h(\sigma_i)] - \Pr_i[B(\mathcal{E}(\rho)) = h(\sigma_i)]\right| > \frac{\varepsilon}{2}.$$

Proof:

Let our predicate be a Goldreich-Levin predicate, that is $h_r(x) = r \odot f(x)$, where $\odot$ denotes the scalar product (mod 2) of the binary vectors represented by the strings $f(x)$ and $r$. Let $p = \Pr_i[A(\mathcal{E}(\sigma_i)) = f(\sigma_i)]$ and $q = \Pr_i[A(\mathcal{E}(\rho)) = f(\sigma_i)]$. Then we know that $|p - q| > \varepsilon$. Let us compute

$$E = \left|\,\mathbb{E}_r\!\left[\Pr_i[r \odot A(\mathcal{E}(\sigma_i)) = h_r(\sigma_i)] - \Pr_i[r \odot A(\mathcal{E}(\rho)) = h_r(\sigma_i)]\right]\right|, \qquad (13)$$

where the expectation is taken over all $r$ of adequate size. We need two observations. First, when $A$ predicts $f(\sigma_i)$ correctly, then $\Pr_r[r \odot A(\mathcal{E}(\sigma_i)) = h_r(\sigma_i)] = 1$. Second, when $A$ does not predict correctly, its output differs from $f(\sigma_i)$ in at least one bit, so the probability over $r$ that $r \odot A(\mathcal{E}(\sigma_i)) = h_r(\sigma_i)$ is exactly one half. Hence Equation (13) reduces to

$$E = \left|\Big(1\cdot p + \tfrac{1}{2}(1-p)\Big) - \Big(1\cdot q + \tfrac{1}{2}(1-q)\Big)\right| = \frac{|p-q|}{2} > \frac{\varepsilon}{2}. \qquad (14)$$

There exists at least one value $r$ such that the following is true:

$$\left|\Pr_i[r \odot A(\mathcal{E}(\sigma_i)) = h_r(\sigma_i)] - \Pr_i[r \odot A(\mathcal{E}(\rho)) = h_r(\sigma_i)]\right| > \frac{\varepsilon}{2}.$$

The lemma is proven if we define adversary $B(\cdot)$ as $r \odot A(\cdot)$ for this appropriate $r$.

QED.



Lemma 4. $(t-1, \varepsilon/8)$-indistinguishability implies strong $(t,\varepsilon)$-entropic security for all functions as long as $t \le n-1$.

Proof:

The proof technique used in this lemma is new to this work, as far as we know.

Suppose that there exist an adversary $B$, a state $\rho$ with $H_\infty(\rho) \ge t$, an interpretation $\{(p_i,\sigma_i)\}$ of $\rho$ and a function $f$ such that

$$\left|\Pr_i[B(\mathcal{E}(\sigma_i)) = f(\sigma_i)] - \Pr_i[B(\mathcal{E}(\rho)) = f(\sigma_i)]\right| > \varepsilon. \qquad (15)$$

We want to show that this adversary implies that the encryption scheme $\mathcal{E}$ is not $(t-1,\varepsilon/8)$-indistinguishable. By the previous lemma, we know that there exist another adversary $A$ and a predicate $h$ such that strong $(t,\varepsilon/2)$-entropic security is violated. Let us define two sets $E_0$ and $E_1$ this way:

- $E_0 = \{i \mid h(\sigma_i) = 0\}$
- $E_1 = \{i \mid h(\sigma_i) = 1\}$.

Let $r_0 = \sum_{i \in E_0} p_i$ and $r_1 = \sum_{i \in E_1} p_i$. Let $\tau_0 = \big(\sum_{i \in E_0} p_i \sigma_i\big)/r_0$ and $\tau_1 = \big(\sum_{i \in E_1} p_i \sigma_i\big)/r_1$. Obviously, $\rho$ is equal to $r_0\tau_0 + r_1\tau_1$ and both $\tau_0$ and $\tau_1$ are valid density operators. So if we restate the entropic security violation in terms of the $\tau_i$, we get

$$\left|\Pr_i[A(\mathcal{E}(\tau_i)) = h(\tau_i)] - \Pr_i[A(\mathcal{E}(\rho)) = h(\tau_i)]\right| > \frac{\varepsilon}{2}, \qquad (16)$$

where $h(\tau_i) = i$ and the index $i \in \{0,1\}$ is drawn with probability $r_i$. The adversary $A$ is a POVM with two elements $A_0$ and $A_1 = I - A_0$, so we can rewrite Equation (16) this way:

$$\left|\sum_{i=0,1} r_i\Big(\mathrm{Tr}\big(A_{h(\tau_i)}\mathcal{E}(\tau_i)\big) - \mathrm{Tr}\big(A_{h(\tau_i)}\mathcal{E}(\rho)\big)\Big)\right| > \frac{\varepsilon}{2}, \qquad (17)$$

where $\mathrm{Tr}(A_k\gamma)$ is the probability that $A$ on $\gamma$ outputs $k$; in our case there are only two possible outputs, zero and one. From the last equation, since there are only two terms in the sum, we can conclude that there exists $i$ such that

$$\left| r_i\Big(\mathrm{Tr}\big(A_{h(\tau_i)}\mathcal{E}(\tau_i)\big) - \mathrm{Tr}\big(A_{h(\tau_i)}\mathcal{E}(\rho)\big)\Big)\right| > \frac{\varepsilon}{4}. \qquad (18)$$



Let us assume without loss of generality that $i$ is in fact zero (choosing $i$ to be one would lead to a similar argument) and let us construct the two following states:

$$\tau'_0 = r_0\,\tau_0 + r_1\,\frac{I}{d}, \qquad \rho' = r_0\,\rho + r_1\,\frac{I}{d}.$$

Obviously, $\rho'$ is a $t$-source since it is a convex combination of two $t$-sources. On the other hand, the largest eigenvalue of $\tau'_0$ cannot be larger than $2^{-t} + r_1/d$ (we have used Lemma 2 and the fact that we can decompose $I/d$ in the same basis as the eigenbasis of $\tau_0$). Since $r_1/d \le 2^{-t}$, we conclude that the largest eigenvalue of $\tau'_0$ is not larger than $2^{-(t-1)}$. Hence $H_\infty(\tau'_0) \ge t-1$.



Let us now compute the following expression:

$$\left|\mathrm{Tr}\big(A_{h(\tau_0)}\mathcal{E}(\tau'_0)\big) - \mathrm{Tr}\big(A_{h(\tau_0)}\mathcal{E}(\rho')\big)\right| = \left|\mathrm{Tr}\Big[A_{h(\tau_0)}\big(\mathcal{E}(\tau'_0) - \mathcal{E}(\rho')\big)\Big]\right|, \qquad (19)$$

which will give us a lower bound on the trace distance of $\mathcal{E}(\tau'_0)$ and $\mathcal{E}(\rho')$, as Theorem 1 tells us, since $A_{h(\tau_0)}$ is a fixed POVM element. Using the linearity of $\mathcal{E}$:

$$\begin{aligned}
\mathrm{Tr}\big(A_{h(\tau_0)}\mathcal{E}(\tau'_0)\big) - \mathrm{Tr}\big(A_{h(\tau_0)}\mathcal{E}(\rho')\big)
&= \mathrm{Tr}\Big(A_{h(\tau_0)}\,\mathcal{E}\big(r_0\tau_0 + r_1\tfrac{I}{d}\big)\Big) - \mathrm{Tr}\Big(A_{h(\tau_0)}\,\mathcal{E}\big(r_0\rho + r_1\tfrac{I}{d}\big)\Big)\\
&= \mathrm{Tr}\big(A_{h(\tau_0)}\mathcal{E}(r_0\tau_0)\big) + \mathrm{Tr}\big(A_{h(\tau_0)}\mathcal{E}(r_1\tfrac{I}{d})\big) - \mathrm{Tr}\big(A_{h(\tau_0)}\mathcal{E}(r_0\rho)\big) - \mathrm{Tr}\big(A_{h(\tau_0)}\mathcal{E}(r_1\tfrac{I}{d})\big)\\
&= r_0\Big(\mathrm{Tr}\big(A_{h(\tau_0)}\mathcal{E}(\tau_0)\big) - \mathrm{Tr}\big(A_{h(\tau_0)}\mathcal{E}(\rho)\big)\Big),
\end{aligned}$$

whose absolute value is greater than $\varepsilon/4$ by Equation (18). Hence $\tau'_0$ and $\rho'$ constitute a violation of $(t-1, \varepsilon/8)$-weak-indistinguishability, which in turn implies a violation of $(t-1, \varepsilon/8)$-indistinguishability.

QED.

We can summarize the two last lemmas in this theorem.

Theorem 2. Entropic security and entropic indistinguishability are equivalent up to small variation in parameters.



4 A quantum entropic encryption scheme

We now present a generalization of the scheme proposed in Section 3.2 of [5]. The proof technique used here is new to this work and achieves slightly better results than [5].

Definition 6. Let $\mathcal{H}_n = \{h_i\}$ be a family of permutations over $n$-bit strings. Consider the event $\Delta = h_i(x) \oplus h_i(y)$. We say the family $\mathcal{H}_n$ is strongly-XOR-universal if for all $x, y$ and all $a \ne 0$ we have

$$\Pr_{i \leftarrow \mathcal{H}_n}[\Delta = a] \le \frac{1}{2^n}.$$

The family proposed in [5] naturally possesses this property. Notice that the probability of seeing $\Delta = a = 0$ can be much larger than $1/2^n$: since each $h_i$ is a permutation, it is in fact equal to the collision probability of the input, $\Pr[x = y]$.

Proposition 1. Let $\mathcal{H}_{2n}$ be a strongly-XOR-universal family of permutations. Consider the super-operator $\mathcal{E}(\rho) = (i,\, X^aZ^b\rho Z^bX^a)$, where $i$ is chosen uniformly at random over $2n$-bit strings and $a\|b = h_i(k)$, where $k$ is the secret key ($a\|b$ denotes the concatenation of the strings $a$ and $b$).$^{8}$ Then $\mathcal{E}$ is a quantum cipher.

Theorem 3. The cipher of Proposition 1 is $(t,\varepsilon)$-indistinguishable for all states $\rho$ such that $H_\infty(\rho) \ge t$, as long as $H_\infty(K) + H_\infty(\rho) \ge n + 2\log(1/\varepsilon)$.

Proof:

We will use the following trick: if $d$ is the dimension of the space on which $\mathcal{E}(\rho)$ acts and $\mathrm{Tr}\big(\mathcal{E}(\rho)^2\big) \le \frac{1}{d}(1+\varepsilon^2)$, then $\|\mathcal{E}(\rho) - I/d\|_{tr} \le \varepsilon$, which implies the desired $(t,\varepsilon)$-indistinguishability.$^{9}$ The adversary's view can be written as $\mathcal{E}(\rho) = \mathbb{E}_{i}\big[\,|i\rangle\langle i| \otimes \mathbb{E}_{k}[X^aZ^b\rho Z^bX^a]\,\big]$, the public index $i$ being part of the cipher text. We are interested in the quantity $\mathrm{Tr}\big(\mathcal{E}(\rho)^2\big)$. So

$$\begin{aligned}
\mathrm{Tr}\big(\mathcal{E}(\rho)^2\big) &= \frac{1}{|\mathcal{I}|}\,\mathrm{Tr}\Big(\mathbb{E}_{k,k';i}\big[X^aZ^b\rho Z^bX^a\,X^cZ^d\rho Z^dX^c\big]\Big) && (20)\\
&= \frac{1}{|\mathcal{I}|}\,\mathrm{Tr}\Big(\mathbb{E}_{k,k';i}\big[Z^dX^cX^aZ^b\rho Z^bX^aX^cZ^d\,\rho\big]\Big) && (21)\\
&= \frac{1}{|\mathcal{I}|}\,\mathrm{Tr}\Big(\mathbb{E}_{k,k';i}\big[(-1)^{d\odot c}(-1)^{d\odot a}\,X^cX^aZ^dZ^b\rho Z^bX^aX^cZ^d\,\rho\big]\Big) && (22)\\
&= \frac{1}{|\mathcal{I}|}\,\mathrm{Tr}\Big(\mathbb{E}_{k,k';i}\big[\big((-1)^{d\odot c}\big)^2\big((-1)^{d\odot a}\big)^2\,X^cX^aZ^dZ^b\rho Z^bZ^dX^aX^c\,\rho\big]\Big) && (23)\\
&= \frac{1}{|\mathcal{I}|}\,\mathrm{Tr}\Big(\mathbb{E}_{e,f;i}\big[X^eZ^f\rho Z^fX^e\,\rho\big]\Big), && (24)
\end{aligned}$$

where $a\|b = h_i(k)$ and $c\|d = h_i(k')$, $k$ and $k'$ being independent instances of the key, $|\mathcal{I}|$ is the number of indices $i$, and the factor $1/|\mathcal{I}|$ comes from tracing out the index register. Also $e\|f = (a \oplus c)\|(b \oplus d) = (a\|b) \oplus (c\|d) = h_i(k) \oplus h_i(k')$. By Definition 6, we know that the probability of seeing any string $e\|f$ different from zero is bounded above by $1/2^{2n}$. Let us divide Equation (24) into two terms, one for $e\|f = 0$ and the other for all $e\|f \ne 0$. Let us introduce the following notation: $\rho_{ef}$ instead of $X^eZ^f\rho Z^fX^e$, and $p_{ef}$ for the probability that $e\|f$ is observed. Thus, we can rewrite everything like this:

$^{8}$ $X^aZ^b = X^{a_1}Z^{b_1} \otimes \cdots \otimes X^{a_n}Z^{b_n}$ if $a = a_1 \ldots a_n$ and $b = b_1 \ldots b_n$.

$^{9}$ See [2] and [5].



$$\mathrm{Tr}\big(\mathcal{E}(\rho)^2\big) = \frac{1}{|\mathcal{I}|}\,\mathrm{Tr}\Big(\Big(\frac{1}{|K|}\,\rho + \sum_{e\|f \ne 0} p_{ef}\,\rho_{ef}\Big)\rho\Big), \qquad (25)$$

where the first term accounts for $e\|f = 0$, which, the $h_i$ being permutations, happens exactly when $k = k'$, i.e. with probability $1/|K|$ for a uniform key.

Observe two things: for all $e\|f \ne 0$ we know that $p_{ef} \le 1/2^{2n}$, and $\sum_{e,f} 2^{-2n}\rho_{ef} = I/2^n$, the perfectly mixed state (this sum runs over all $2^{2n}$ strings $e\|f$, including zero). Quantum mechanics also tells us that $\mathrm{Tr}(\rho\sigma)$ is the expectation of the observed eigenvalue if one measures the observable $\rho$ on the state $\sigma$. A specific case is $\mathrm{Tr}\big(\frac{I}{2^n}\rho\big) = 1/2^n$: since all eigenvalues of the perfectly mixed state are equal to $1/2^n$, the average cannot be different from this number.

Let $A$ be the positive operator $\sum_{e\|f \ne 0} p_{ef}\,\rho_{ef}$. From the previous observations, we can conclude that there exists a positive operator $B$ such that $A + B = I/2^n$, namely $B = \sum_{e,f}\big(2^{-2n} - p_{ef}\big)\rho_{ef}$ with $p_{0\|0}$ set to $0$ in this sum. Therefore $\mathrm{Tr}((A+B)\rho) = \frac{1}{2^n}$, thus $\mathrm{Tr}(A\rho) + \mathrm{Tr}(B\rho) = \frac{1}{2^n}$ and finally $\mathrm{Tr}(A\rho) \le \frac{1}{2^n}$.

So we can rewrite Equation (25) this way:

$$\mathrm{Tr}\big(\mathcal{E}(\rho)^2\big) \le \frac{1}{|\mathcal{I}|}\Big(\frac{\mathrm{Tr}(\rho^2)}{|K|} + \frac{1}{2^n}\Big). \qquad (26)$$

Let us denote $H_\infty(K)$ by $t_K = \log|K|$ and $H_\infty(\rho)$ by $t_\rho$. By hypothesis, we have $H_\infty(K) + H_\infty(\rho) \ge n + 2\log(1/\varepsilon)$, hence $2^{\,n - t_K - t_\rho} \le \varepsilon^2$. We can thus rewrite (26) this way:

$$\mathrm{Tr}\big(\mathcal{E}(\rho)^2\big) \le \frac{1}{|\mathcal{I}|\,2^n}\Big(1 + 2^{\,n - t_K - t_\rho}\Big) \le \frac{1}{|\mathcal{I}|\,2^n}\big(1 + \varepsilon^2\big), \qquad (27)$$

since $\mathrm{Tr}(\rho^2) \le 1/2^{t_\rho}$. This, in turn, implies that $\|\mathcal{E}(\rho) - I/d\|_{tr} \le \varepsilon$ with $d = |\mathcal{I}|\,2^n$, for $t_K = \log|K| \ge n - t + 2\log(1/\varepsilon)$.

QED.
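The following Python/numpy simulation is an added example, not code from the paper, of Definition 6 and of the cipher of Proposition 1 at toy size. The hash family is an assumption made for the example: $h_i(k) = i \cdot k$ in $\mathrm{GF}(2^{2n})$ for nonzero $i$ (the polynomial table `IRREDUCIBLE` and the function `h` are the example's own). Each $h_i$ is a permutation and $h_i(x) \oplus h_i(y) = i\cdot(x \oplus y)$, so for $x \ne y$ the event $\Delta = a$ has probability $1/(2^{2n}-1)$ for every $a \ne 0$; this meets Definition 6 only up to the factor $2^{2n}/(2^{2n}-1)$, and the public index $i$ is drawn from the $2^{2n}-1$ nonzero strings rather than from all $2n$-bit strings. The key space is taken to be the first $2^{t_K}$ of the $2n$-bit strings, so $H_\infty(K) = t_K$. The code brute-forces the XOR-universality bound, runs the cipher on flat $t$-sources, and checks both the purity bound (27) and the trace distance of the ciphertext (index register included, so $d = |\mathcal{I}|\,2^n$) to the maximally mixed state against $\varepsilon = \sqrt{2^{\,n - t_K - t}}$ from Theorem 3.

```python
import numpy as np

# Irreducible polynomials (with the leading bit) for GF(2^m), m = 2n; assumed for this example.
IRREDUCIBLE = {2: 0b111, 4: 0b10011, 6: 0b1000011}

X = np.array([[0, 1], [1, 0]], dtype=complex)
Z = np.array([[1, 0], [0, -1]], dtype=complex)

def gf_mul(x, y, m):
    """Carry-less product of x and y reduced modulo the irreducible polynomial of GF(2^m)."""
    poly, r = IRREDUCIBLE[m], 0
    for _ in range(m):
        if y & 1:
            r ^= x
        y >>= 1
        x <<= 1
        if x & (1 << m):
            x ^= poly
    return r

def h(i, k, m):
    """Hypothetical family H_m = {h_i : k -> i*k in GF(2^m), i != 0}: every h_i is a permutation."""
    return gf_mul(i, k, m)

def xor_universal_max_prob(m):
    """Brute-force max over x != y and a != 0 of Pr_i[h_i(x) xor h_i(y) = a] (Definition 6)."""
    indices = range(1, 2 ** m)
    worst = 0.0
    for x in range(2 ** m):
        for y in range(x + 1, 2 ** m):
            counts = {}
            for i in indices:
                delta = h(i, x, m) ^ h(i, y, m)
                counts[delta] = counts.get(delta, 0) + 1
            worst = max(worst, max(c for a, c in counts.items() if a != 0) / len(indices))
    return worst

def pauli(a, b, n):
    """X^a Z^b on n qubits; bit j of a (resp. b) applies X (resp. Z) to qubit j (footnote 8)."""
    op = np.array([[1.0 + 0j]])
    for j in range(n):
        aj, bj = (a >> (n - 1 - j)) & 1, (b >> (n - 1 - j)) & 1
        op = np.kron(op, np.linalg.matrix_power(X, aj) @ np.linalg.matrix_power(Z, bj))
    return op

def cipher_views(rho, keys, n):
    """sigma_i = E_k[X^a Z^b rho Z^b X^a] with a||b = h_i(k), one block per public index i.
    The full ciphertext state is E(rho) = (1/|I|) sum_i |i><i| (x) sigma_i."""
    m, d = 2 * n, 2 ** n
    views = []
    for i in range(1, 2 ** m):
        sigma = np.zeros((d, d), dtype=complex)
        for k in keys:
            ab = h(i, k, m)
            P = pauli(ab >> n, ab & (d - 1), n)
            sigma += P @ rho @ P.conj().T
        views.append(sigma / len(keys))
    return views

def flat_state(n, t):
    """Flat t-source: uniform mixture of the first 2^t computational basis states of n qubits."""
    p = np.zeros(2 ** n)
    p[: 2 ** t] = 1.0 / 2 ** t
    return np.diag(p).astype(complex)

def distance_to_mixed(views, n):
    """||E(rho) - I/(|I| 2^n)||_tr; E(rho) is block diagonal in the index register, so this is
    the average over i of tr|sigma_i - I/2^n|."""
    d = 2 ** n
    return float(np.mean([np.abs(np.linalg.eigvalsh(s - np.eye(d) / d)).sum() for s in views]))

def purity(views):
    """Tr(E(rho)^2) = (1/|I|) * mean_i Tr(sigma_i^2)."""
    return float(np.mean([np.trace(s @ s).real for s in views]) / len(views))

def check_theorem3(n, t, t_k):
    """Encrypt a flat t-source with a key space of 2^t_k keys and compare with Theorem 3.
    Returns (trace distance, eps = sqrt(2^(n - t_k - t)), purity, purity bound from (27))."""
    keys = range(2 ** t_k)  # first 2^t_k of the 2n-bit strings: H_inf(K) = t_k (assumed key set)
    views = cipher_views(flat_state(n, t), keys, n)
    eps = float(np.sqrt(2.0 ** (n - t_k - t)))
    bound = (1 + 2.0 ** (n - t_k - t)) / (len(views) * 2 ** n)
    return distance_to_mixed(views, n), eps, purity(views), bound
```

With $n = 2$, `xor_universal_max_prob(4)` returns $1/15$. A full $2n$-bit key (`check_theorem3(2, 0, 4)`) turns even a pure input into $I/4$ exactly, and a message that is already maximally mixed (`check_theorem3(2, 2, 0)`) needs no key at all. The interesting regime is in between: `check_theorem3(2, 1, 2)` uses only $t_K = 2$ bits of key for $2$ qubits on a $1$-source and stays within $\varepsilon = 2^{-1/2}$, which is Theorem 3's $t_K \ge n - t + 2\log(1/\varepsilon) = 2 - 1 + 1$ in miniature; the returned purity also sits below the bound of (27).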
5 Discussion

We have proposed two new definitions of security for quantum ciphers which are generalizations of entropic security and entropic indistinguishability. We have proven the equivalence of the two definitions up to slight variations of the parameters $t$ and $\varepsilon$. We also presented the most efficient, in terms of the key size, quantum encryption scheme known yet. It is not hard to prove that the three schemes presented by Ambainis and Smith in [2] are all $(t,\varepsilon)$-indistinguishable. Furthermore, the first of these schemes, which uses $\delta$-biased spaces, was also presented as a classical entropically secure scheme in [5]. Surprisingly, the quantum version of this scheme does not require a longer key than its classical counterpart. So we ask (dare we conjecture?): is entropic security a sufficient relaxation of information theoretic security so that quantum ciphers require no more key than their classical equivalent? If so, is this the simplest such relaxation possible?